fix: use connect_pass_through flag instead of workaround for TCP regression (#9506)

* Revert "fix: strips CF-Connecting-IP header within Wrangler (#9246)"

This reverts commit d033a7d.

* feat: add connect_pass_through compatibility flag to globalOutbound worker

Add the connect_pass_through compatibility flag to the outbound service worker
that strips CF-Connecting-IP headers. This resolves the TCP connection regression
that was introduced when using globalOutbound service with workerd's connect() API.

The connect_pass_through flag was added in workerd PR #4171 to fix the underlying
issue, allowing us to remove the JavaScript injection workaround and use the
cleaner global outbound approach.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* fix: add connect_pass_through and experimental compat flags, add changeset

- Add 'experimental' compat flag alongside 'connect_pass_through'
- Add changeset for the TCP regression fix
- The deleted test was specific to the workaround we're replacing

* human fixups

* fix lockfile

* fix lockfile

* fix lockfile

---------

Co-authored-by: Claude <[email protected]>

Author: penalosa

.changeset/fix-tcp-regression-connect-pass-through.md

@@ -0,0 +1,6 @@
+---
+"miniflare": patch
+"wrangler": patch
+---
+
+Strip the `CF-Connecting-IP` header from outgoing fetches

packages/miniflare/src/plugins/core/index.ts

@@ -165,9 +165,7 @@ const CoreOptionsSchemaInput = z.intersection(
 		tails: z.array(ServiceDesignatorSchema).optional(),
 
 		// Strip the CF-Connecting-IP header from outbound fetches
-		// There is an issue with the connect() API and the globalOutbound workerd setting that impacts TCP ingress
-		// We should default it to true once https://github.com/cloudflare/workerd/pull/4145 is resolved
-		stripCfConnectingIp: z.boolean().default(false),
+		stripCfConnectingIp: z.boolean().default(true),
 	})
 );
 export const CoreOptionsSchema = CoreOptionsSchemaInput.transform((value) => {
@@ -839,6 +837,7 @@ export const CORE_PLUGIN: Plugin<
 						},
 					],
 					compatibilityDate: "2025-01-01",
+					compatibilityFlags: ["connect_pass_through", "experimental"],
 					globalOutbound: getGlobalOutbound(workerIndex, options),
 				},
 			});

packages/miniflare/test/index.spec.ts

@@ -3035,7 +3035,6 @@ test("Miniflare: strips CF-Connecting-IP", async (t) => {
 	const client = new Miniflare({
 		script: `export default { fetch(request) { return fetch('${serverUrl.href}', {headers: {"CF-Connecting-IP":"fake-value"}}) } }`,
 		modules: true,
-		stripCfConnectingIp: true,
 	});
 	t.teardown(() => client.dispose());
 	t.teardown(() => server.dispose());

packages/unenv-preset/package.json

@@ -54,7 +54,7 @@
 	},
 	"peerDependencies": {
 		"unenv": "2.0.0-rc.17",
-		"workerd": "^1.20250508.0"
+		"workerd": "^1.20250521.0"
 	},
 	"peerDependenciesMeta": {
 		"workerd": {

packages/wrangler/src/__tests__/api/startDevWorker/startWorker.test.ts

@@ -261,32 +261,6 @@ export async function bundleWorker(
 		inject.push(checkedFetchFileToInject);
 	}
 
-	// We injected the `CF-Connecting-IP` header in the entry worker on Miniflare.
-	// It used to be stripped by Miniflare, but that caused TCP ingress failures
-	// because of the global outbound setup. This is a temporary workaround until
-	// a proper fix is landed in Workerd.
-	// See https://github.com/cloudflare/workers-sdk/issues/9238 for more details.
-	if (targetConsumer === "dev" && local) {
-		const stripCfConnectingIpHeaderFileToInject = path.join(
-			tmpDir.path,
-			"strip-cf-connecting-ip-header.js"
-		);
-
-		if (!fs.existsSync(stripCfConnectingIpHeaderFileToInject)) {
-			fs.writeFileSync(
-				stripCfConnectingIpHeaderFileToInject,
-				fs.readFileSync(
-					path.resolve(
-						getBasePath(),
-						"templates/strip-cf-connecting-ip-header.js"
-					)
-				)
-			);
-		}
-
-		inject.push(stripCfConnectingIpHeaderFileToInject);
-	}
-
 	// When multiple workers are running we need some way to disambiguate logs between them. Inject a patched version of `globalThis.console` that prefixes logs with the worker name
 	if (getFlag("MULTIWORKER")) {
 		middlewareToLoad.push({